Encrypting HTTP with a certificate
Obtaining the certificate
1. Generate the private key
[root@zyy180 ~]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.............+++
......................................................................................................................................................................+++
e is 65537 (0x10001)
2. Generate the certificate signing request (CSR) file
[root@zyy180 ~]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:zyy
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.zyy.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Generate the self-signed certificate (crt)
[root@zyy180 ~]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=cn/ST=hubei/L=wuhan/O=zyy/CN=www.zyy.com
Getting Private key
4. Copy the certificate files to their designated locations
[root@zyy180 ~]# ls
anaconda-ks.cfg server.crt server.csr server.key yum.sh
[root@zyy180 ~]# cp server.crt /etc/pki/tls/certs/
[root@zyy180 ~]# cp server.key /etc/pki/tls/private/
[root@zyy180 ~]# cp server.csr /etc/pki/tls/private/
Using the certificate
1. Install the mod_ssl module
[root@zyy180 ~]# yum -y install mod_ssl
2. Edit the /etc/httpd/conf.modules.d/00-base.conf file
[root@zyy180 ~]# vim /etc/httpd/conf.modules.d/00-base.conf
LoadModule ssl_module modules/mod_ssl.so
If this line is already present, just uncomment it.
3. Configure SSL; the default HTTPS service uses this configuration file
[root@zyy180 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
At the very bottom of the file.
4. Edit httpd-vhosts.conf and add the SSL directives
[root@zyy180 ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/private/server.key"
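
A check worth running on the files copied in step 4 before restarting httpd, as an added example that is not part of the original post: it verifies that the private key is not accessible to group or others, that the certificate carries the key's public half, and that the certificate is not about to expire. The function names and the 30-day default are assumptions of this example.

```bash
#!/bin/bash
# Added example: sanity checks for a certificate/key pair used by mod_ssl.
# Usage with the paths from this page:
#   ./check_tls.sh /etc/pki/tls/certs/server.crt /etc/pki/tls/private/server.key

# Succeeds only if group and others have no permission bits on the key file.
key_is_private() {
    perms=$(ls -ld -- "$1" | cut -c5-10) || return 2
    [ "$perms" = "------" ]
}

# Succeeds only if the certificate contains the public key of the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Runs all three checks and reports every failure, not just the first.
check_tls_files() {
    cert=$1 key=$2 days=${3:-30} rc=0
    key_is_private "$key" ||
        { echo "FAIL: $key is accessible to group/others (chmod 600)"; rc=1; }
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: $cert does not match $key"; rc=1; }
    cert_valid_for_days "$cert" "$days" ||
        { echo "FAIL: $cert expires within $days days"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: $cert / $key"; fi
    return "$rc"
}

# Run the checks only when a certificate and key path are given.
if [ "$#" -ge 2 ]; then
    check_tls_files "$@"
fi
```

A mismatch between SSLCertificateFile and SSLCertificateKeyFile prevents httpd from starting, so running this first gives a clearer message than the startup error.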